Newsletter & GDPR: The 2026 Checklist
From double opt-in to right to withdraw to data-processing agreement: the complete GDPR checklist for your newsletter setup in 2026 — step by step.
Mailaura Team
Mailaura.io
GDPR-compliant newsletter marketing is not legal luxury — it is the prerequisite for being allowed to send at all. And at the same time the topic where many companies get sloppy until the first warning letter arrives. This checklist gives you the complete overview — hands-on, current in 2026, with a clear action per point.
Why GDPR is more important than ever in 2026
Two developments sharpened the situation:
- Schrems II and the resulting problems with US tools: data transfer to third countries without sufficient safeguards is a core risk.
- AI features in email marketing raise new questions: who processes the data, where does it sit, and which models are trained on it?
GDPR itself stays the same at its core — but its interpretation tightens.
The 17-point checklist
Legal basis and consent (points 1–5)
1. Double opt-in active.
Only active confirmation via click on a link in a separate email is legally sound in the German-speaking market. Mailaura enables DOI by default.
2. Consent documented.
Per subscriber, store: timestamp, IP address, form used, consent text. Mailaura stores this automatically.
3. Checkbox not pre-ticked.
Required since 2018. Pre-ticked boxes are invalid — the user must actively consent.
4. No "bundling" violation.
Newsletter consent cannot be a precondition for another service ("whitepaper only with newsletter sign-up" without alternative = problematic).
5. Consent text clear and understandable.
The wording must let the reader see what they are agreeing to. Suggested:
"Yes, I want to receive the Mailaura newsletter. I can revoke consent at any time via the unsubscribe link in every email. Privacy policy: [link]."
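As an added illustration of points 1 and 2 (not code from Mailaura), here is a minimal double-opt-in flow: the confirmation link carries an HMAC-signed, time-limited token so only the mail recipient can confirm, and the confirming click writes the consent record with the four fields from point 2. The key, TTL and in-memory store are constructed placeholders.

```python
import hashlib, hmac
from dataclasses import dataclass
# Hypothetical server-side key (constructed); in production load it from a secret store.
SECRET_KEY = b"constructed-demo-key"
TOKEN_TTL = 48 * 3600   # a confirmation link stops working after 48 hours
CONSENT_TEXT = ("Yes, I want to receive the Mailaura newsletter. I can revoke consent "
                "at any time via the unsubscribe link in every email.")

def make_confirmation_token(email: str, issued_at: int) -> str:
    """Mint the signed token for the DOI link. Only the holder of SECRET_KEY can
    produce one, so nobody can 'confirm' an address they do not control by
    guessing or editing the URL."""
    payload = f"{email}|{issued_at}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{payload.hex()}.{sig.hex()}"

def verify_confirmation_token(token: str, now: int):
    """Return the email if signature and age check out, otherwise None."""
    try:
        payload_hex, sig_hex = token.split(".")
        payload, sig = bytes.fromhex(payload_hex), bytes.fromhex(sig_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    email, issued = payload.decode().rsplit("|", 1)
    if not 0 <= now - int(issued) <= TOKEN_TTL:   # expired, or dated in the future
        return None
    return email

@dataclass(frozen=True)
class ConsentRecord:          # the proof-of-consent fields from point 2
    email: str
    confirmed_at: int         # unix time of the confirming click
    ip_address: str
    form_id: str              # which sign-up form was used
    consent_text: str         # exact wording the subscriber agreed to
    text_sha256: str          # fingerprint, so later edits to the wording are detectable

CONSENTS: dict[str, ConsentRecord] = {}   # stands in for the database
def confirm_subscription(token: str, now: int, ip_address: str, form_id: str):
    # Handle the click on the DOI link: verify the token, then persist the evidence.
    email = verify_confirmation_token(token, now)
    if email is None:
        return None
    rec = ConsentRecord(email, now, ip_address, form_id, CONSENT_TEXT,
                        hashlib.sha256(CONSENT_TEXT.encode()).hexdigest())
    CONSENTS[email] = rec
    return rec
```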
Data processing (points 6–10)
6. Data minimisation.
Collect only fields you use. Date of birth only for birthday mails, industry only for segmentation.
7. Purpose binding documented.
The privacy policy lists which fields are collected for which purposes.
8. Data Processing Agreement (DPA) signed.
With your newsletter tool (e.g. Mailaura). Mailaura provides one automatically in the account.
9. Technical security: encryption.
Transfer only via HTTPS/TLS, storage encrypted. Standard at serious EU tools.
10. Sub-processing transparent.
If Mailaura uses e.g. AWS for sending, that is documented in the DPA. As controller, you must know this chain.
Rights of data subjects (points 11–13)
11. Unsubscribe anytime (Art. 7(3) GDPR).
One-click unsubscribe link, no login, no form. Additionally, List-Unsubscribe header set.
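As an added example for point 11 (not code from Mailaura), this builds the outgoing message with both RFC 2369 List-Unsubscribe and RFC 8058 List-Unsubscribe-Post headers, and shows the server side that honours the one-click POST. The unsubscribe URL is per recipient and HMAC-signed, so it works without login yet cannot be edited to unsubscribe someone else; key, domain and subscriber table are constructed placeholders.

```python
import hashlib, hmac
from email.message import EmailMessage

# Constructed values: key, domain and subscriber table are placeholders for this example.
UNSUB_KEY = b"constructed-unsubscribe-key"
BASE_URL = "https://news.example.com"
SUBSCRIBERS = {"s-1001": "alice@example.com", "s-1002": "bob@example.com"}

def unsubscribe_token(list_id: str, sub_id: str) -> str:
    """HMAC over list and subscriber id: the link works without login, but it
    cannot be altered to target another subscriber or enumerated in bulk."""
    return hmac.new(UNSUB_KEY, f"{list_id}:{sub_id}".encode(), hashlib.sha256).hexdigest()

def unsubscribe_url(list_id: str, sub_id: str) -> str:
    return f"{BASE_URL}/u/{list_id}/{sub_id}/{unsubscribe_token(list_id, sub_id)}"

def build_newsletter(sub_id: str, list_id: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "Mailaura News <news@example.com>"
    msg["To"] = SUBSCRIBERS[sub_id]
    msg["Subject"] = subject
    url = unsubscribe_url(list_id, sub_id)
    tok = unsubscribe_token(list_id, sub_id)
    # RFC 2369: URL plus a mailto fallback, for clients that only honour one of the two
    msg["List-Unsubscribe"] = f"<{url}>, <mailto:unsubscribe@example.com?subject={sub_id}-{tok}>"
    # RFC 8058: a bare POST to the URL with this body must unsubscribe; no login, no form
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nUnsubscribe with one click: {url}")
    return msg

def handle_unsubscribe_post(list_id: str, sub_id: str, token: str, form_body: str) -> bool:
    """Server side of the one-click POST. Returns True if the subscriber was removed."""
    if form_body != "List-Unsubscribe=One-Click":
        return False                      # not an RFC 8058 request (e.g. a link-scanner GET)
    if sub_id not in SUBSCRIBERS:
        return False
    if not hmac.compare_digest(token, unsubscribe_token(list_id, sub_id)):
        return False                      # forged or tampered link
    del SUBSCRIBERS[sub_id]
    return True
```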
12. Right to access (Art. 15).
Subjects can learn at any time which data is stored. Mailaura provides self-service for this.
13. Right to erasure ("right to be forgotten", Art. 17).
Data deleted within a reasonable timeframe after unsubscribe — except for legally required consent proofs.
In the newsletter itself (points 14–17)
14. Legal notice obligation fulfilled.
Complete legal notice in the footer. Details: Newsletter legal notice.
15. Privacy policy linked.
Best in the footer of every newsletter email.
16. No misleading statements.
Sender, subject and content must match. "Re: your request" as a subject for a pitch = actionable.
17. Advertising label for promotional content.
If a newsletter is primarily advertising, the promotional nature must be clearly recognisable.
The three GDPR traps that catch pros too
Trap 1: imported legacy lists
You bring 50,000 addresses from another tool. Problem: for these addresses, no DOI confirmation is documented. Solution: re-confirmation campaign ("confirm again so we may write to you"). Yes, you lose 60–80 % of the list. No, alternatives are not legal.
Trap 2: incentivised sign-ups
"Subscribe and win an iPad." The coupling between newsletter sign-up and raffle invalidates consent if the primary goal is advertising.
Trap 3: tracking pixel without notice
Open and click tracking is data processing. It must be addressed in the privacy policy. "We track opens to optimise our newsletters" belongs in the privacy policy AND ideally in a separate section of the consent text.
US tools and GDPR
After Schrems II, using US-based newsletter tools (Mailchimp, HubSpot, Klaviyo) is not automatically forbidden but clearly higher risk. Requirements:
- Standard contractual clauses (SCC) per EU decision 2021/914.
- Additional measures: encryption, anonymisation, access controls.
- Risk assessment documented in your records of processing activities.
- Weighing whether an EU alternative is available.
Practically: for most DACH companies, an EU-native tool like Mailaura or CleverReach is the lower-risk choice.
What belongs in the records of processing activities (ROPA)
A newsletter entry in the ROPA includes:
- Purpose: newsletter sending
- Data subjects: subscribers
- Data categories: email, name (optional), behaviour data
- Recipients: tool provider (e.g. Mailaura), sub-processors
- Third-country transfer: yes/no, if yes which safeguards
- Retention periods: deletion after 24 months of inactivity, plus how revocations are handled
- Technical and organisational measures: reference to DPA
Fines and warning letters
Fines under Art. 83 GDPR can reach 20 million euros or 4 % of global revenue. In practice, newsletter violations usually result in warning letters of 300–2,500 €; serious violations lead to lawsuits with cost risk.
Step-by-step setup in Mailaura
- Create an account, enter company details → automatic DPA generation.
- Create a form with the checkbox and privacy link (default).
- Customise the double opt-in email: company name, short confirmation ask.
- Enable the legal-notice footer with your company details.
- Enable GDPR reports: dashboard shows per-contact consent history.
Conclusion
GDPR-compliant newsletter sending is not rocket science, but it is discipline. Set up 17 points once cleanly, and you are compliant. With Mailaura you get most of these points automatically. If the basics are not yet in place, read How to create a newsletter first.
Ready for your next newsletter?
Mailaura makes newsletter marketing easy, GDPR-compliant and AI-powered. Start for free.